ASA 8.42 nat problems

Hi

Configuring an asa 5505 with 8.42 software.

I need to access an https server on the inside via the outside interface.

I have moved the http server enable to port 10443

Tried to make a "network object nat rule"

Have even checked the video :-)

I can't get access.

Packet tracer points to the nat rule.

object network Vejrstation
 host 192.168.4.15
object network Vejrstation
 nat (any,outside) static interface service tcp https https

Where do I go wrong?

ASA 8.42 nat problems

The log says

3 | Nov 25 2011 | 06:03:49 | 188.177.226.89 | 3436 | 83.89.223.42 | 443 | TCP access denied by ACL from 188.177.226.89/3436 to outside:83.89.223.42/443

access-list outside_access_in extended permit object https any object Vejrstation

but why?

No hits on the access-list

ASA 8.42 nat problems

nat (inside,outside): use this, as you said the server is in the inside zone.

Thanks

Ajay

ASA 8.42 nat problems

I have tried that, same result except that the tracer says ok

ASA 8.42 nat problems

Change your outside ACL as well, since the packet is not directly coming for 192.168.4.15.

You should allow the ACL for the public IP which is going to be mapped.

ASA 8.42 nat problems

Not according to the video... but I have tried that

ASA 8.42 nat problems

Post your full config.

ASA 8.42 nat problems

: Saved
:
ASA Version 8.4(2)
!
hostname xxxxxxxxxx
enable password EnFClNY/JeYR4dhI encrypted
passwd EnFClNY/JeYR4dhI encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.6 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.89.223.42 255.255.255.252
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.8.0-6
subnet 192.168.8.0 255.255.255.248
object network obj-192.168.18.0
subnet 192.168.18.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.251.0
subnet 192.168.251.0 255.255.255.0
object service https
service tcp destination eq https
object service 4001
service tcp destination eq 4001
object network Vejrstation
host 192.168.4.15
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.248
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Vejrstation eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool vpnklient 192.168.4.51-192.168.4.55
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.4.0 obj-192.168.4.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.8.0-6 obj-192.168.8.0-6 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.18.0 obj-192.168.18.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.15.0 obj-192.168.15.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.251.0 obj-192.168.251.0 no-proxy-arp
nat (inside,outside) source dynamic any interface
!
object network Vejrstation
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.89.223.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 10443
http 192.168.1.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 188.177.226.88 255.255.255.248 outside
http 188.120.69.106 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpnswarcolan esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set vpnklientswarco esp-aes-256 esp-md5-hmac
crypto dynamic-map vpnklientswarco 10 set ikev1 transform-set vpnklientswarco
crypto map partnermap 200 match address 200
crypto map partnermap 200 set pfs group1
crypto map partnermap 200 set peer 93.162.119.26 89.88.87.89
crypto map partnermap 200 set ikev1 transform-set vpnswarcolan
crypto map partnermap 65535 ipsec-isakmp dynamic vpnklientswarco
crypto map partnermap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash md5
group 1
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 87.48.245.198 255.255.255.255 outside
ssh 188.120.69.106 255.255.255.255 outside
ssh 188.177.226.88 255.255.255.248 outside
ssh timeout 60
console timeout 0
management-access inside

dhcpd dns 194.239.134.83 193.162.153.164
!
dhcpd address 192.168.4.190-192.168.4.220 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnklientswarco internal
group-policy vpnklientswarco attributes
dns-server value 194.239.134.83 193.162.153.164
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
username swarco password .FRI9vfYdLduSJia encrypted privilege 15
username jep-it password 1aqZEKKMU1dntc85 encrypted privilege 15
tunnel-group 93.162.119.26 type ipsec-l2l
tunnel-group 93.162.119.26 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpnklientswarco type remote-access
tunnel-group vpnklientswarco general-attributes
address-pool vpnklient
default-group-policy vpnklientswarco
tunnel-group vpnklientswarco ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 89.88.87.89 type ipsec-l2l
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dec4c88475f8dd4ceeaebc23b2f4cf94
: end

ASA 8.42 nat problems

Hi,

This should be your configuration:

object network Vejrstation
 host 192.168.4.15
object service tcp_https
 service tcp destination eq 443
nat (outside,inside) source static any any destination static interface Vejrstation service tcp_https tcp_https
access-list outside_access_in extended permit tcp any object Vejrstation eq 443
access-group outside_access_in in interface outside

This should do; if not, then you would need to check which party is not responding by using captures. Also, can you post the output of packet-tracer?

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
ASA 8.42 nat problems

Varun,

Just wondering why it should be nat (outside,inside) as you suggested.

Isn't he trying to map the internal IP with the interface IP of the outside interface for redirection?

I can only see one thing here: that the access is blocked from outside.

Also a capture should be there, sourced from outside.

Thanks

Ajay

ASA 8.42 nat problems

Capture was sourced from outside

ASA 8.42 nat problems

Do not put the private IP; that won't work.

Please edit your outside ACL to allow source any destination 83.89.223.42 eq 443

ASA 8.42 nat problems

Hi Ajay,

He has done it correctly. In 8.3, you don't use the public IP of the , instead you use the private IP, because the order of operation has changed: first the packet is un-NATted and then the access-list is hit.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
ASA 8.42 nat problems

Hi Ajay,

8.3 nat is all flow based nat; the one that was used earlier is called auto nat and the one I used is manual nat. My nat statement means: any source coming from outside should be translated to itself, if it is hitting the outside interface on port 443, and that should be translated to the internal ip. It's still the same thing.

Please try this:

packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 443 detailed

and please paste that here.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

ASA 8.42 nat problems

Thanks Varun.

Another question comes here: as he has shown in the log, any packet that comes for the public IP (interface) on port 443 is getting denied.

ASA 8.42 nat problems

packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 443 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 83.89.223.42/443 to 192.168.4.15/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Vejrstation eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb395078, priority=13, domain=permit, deny=false
hits=8, user_data=0xc94ddbd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb36e208, priority=0, domain=inspect-ip-options, deny=true
hits=200, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb332e68, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=170, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb3478d8, priority=0, domain=host-limit, deny=false
hits=23, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbebe160, priority=6, domain=nat-reverse, deny=false
hits=8, user_data=0xcbebe4d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb343f80, priority=0, domain=inspect-ip-options, deny=true
hits=35, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 8.42 nat problems

Seems like I have traffic through now.

Don't really know why ;-)

ASA 8.42 nat problems

The packet-tracer shows everything is fine, is it still not working??

Varun

Thanks, Varun Rao Security Team, Cisco TAC
ASA 8.42 nat problems

I changed the dynamic nat to a network object rule.

Looks like that made a difference.

ASA 8.42 nat problems

Hi,

In 8.3 nat, the order of operation of traffic for nat rules is: first the manual nat is hit and then the auto nat. When you had configured the dynamic nat as auto nat, it might have been hitting it every time instead of the static rule that you had configured as object nat; deleting it and moving it down in the nat list made the difference.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
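An added example, not from this thread or from Cisco, that applies the two 8.3+ points made above (manual NAT in section 1 is evaluated before object NAT in section 2 unless after-auto is used, and the outside ACL must name the real address because the packet is un-NATted before the ACL is checked). SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, with an extra host 83.89.223.42 ACL line of the pre-8.3 style added so the checker can flag it; the function names are this example's own.

```python
# Constructed excerpt modelled on the config in this thread. The second
# access-list line is the mapped-IP (pre-8.3) style and should be flagged.
SAMPLE_CONFIG = """\
object network Vejrstation
 host 192.168.4.15
nat (inside,outside) source dynamic any interface
object network Vejrstation
 nat (inside,outside) static interface service tcp https https
access-list outside_access_in extended permit tcp any object Vejrstation eq https
access-list outside_access_in extended permit tcp any host 83.89.223.42 eq 443
access-group outside_access_in in interface outside
"""


def parse_nat_order(config):
    """Return NAT rules in ASA 8.3+ evaluation order: section 1 (manual NAT,
    has a 'source' keyword), section 2 (object NAT), section 3 (manual NAT
    marked after-auto)."""
    sections = {1: [], 2: [], 3: []}
    current_object = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            current_object = s.split()[2]
        elif s.startswith("nat "):
            if " source " in s:  # manual (twice) NAT
                sections[3 if " after-auto" in s else 1].append(s)
            elif current_object:  # nat under an object = object (auto) NAT
                sections[2].append(f"object {current_object}: {s}")
    return [rule for sec in (1, 2, 3) for rule in sections[sec]]


def acl_destination_check(config, acl_name, real_object, real_host, mapped_ip):
    """Tag each entry of acl_name: 'real' when its destination is the real
    host/object (correct on 8.3+, the ACL sees the un-NATted packet),
    'mapped' when it names the public/mapped IP (never matches after un-NAT)."""
    results = []
    for line in config.splitlines():
        s = line.strip()
        if not s.startswith(f"access-list {acl_name} "):
            continue
        if f"host {mapped_ip}" in s:
            results.append(("mapped", s))
        elif f"object {real_object}" in s or f"host {real_host}" in s:
            results.append(("real", s))
        else:
            results.append(("other", s))
    return results
```

Run parse_nat_order on a full running-config to see which rule the box consults first; a section 1 rule listed ahead of the static object rule is the situation the thread ends up describing.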